March 23, 2016

Bluemix VPN + SoftLayer Vyatta = Cloud Communication

Overview

One of the great things about being in a connected world is the ability to have private-only systems talk to each other through gateway devices. Today you will look at using the Bluemix VPN Service connected to a SoftLayer Vyatta Network Gateway Device to enable communication between private-only Bluemix containers and SoftLayer instances.

Prerequisites

Installing and configuring the Bluemix command line

Besides the VPN service, an IBM container is required in order to test the connection between Bluemix and SoftLayer. To push the test container into the Bluemix account, the Cloud Foundry command line app and its associated IBM Container plugin need to be installed by following these instructions.

After the Cloud Foundry CLI and IBM Container plugin have been installed, log in by issuing the following command: cf login. The following prompts will appear:

Creating a Bluemix Container

The Bluemix VPN Service requires at least one running container in order to expose the container group networking to the VPN service. The following Dockerfile is used to build and push a simple Apache container image to the Bluemix container registry. The container will include any files in the public-html folder in the current working directory. Create that directory if it does not exist, and add a simple index.html page to it.

Once the container image is pushed to the registry, access the Bluemix web Dashboard and click Start Containers to create a new IBM container. Select the apache container and on the subsequent page provide a name for the container and choose the container size. Ensure that under Public Ports it shows 80/tcp. Click the CREATE button and after a few minutes the container will be active.

- Figure 1: List of Available Containers on your account

- Figure 2: Container creation page

With the container created, use the cf ic ps -a command to view the container details and status:

Let's get Bluemix and SoftLayer talking

Bluemix containers support requesting and binding public IPs, but for some use cases this is neither required nor ideal. This is where the VPN connection comes into play. Once a connection has been established to the secure VPN tunnel, an endpoint on one side of the tunnel can communicate with any endpoint on the other side of the tunnel without requiring any special client software.

Step 1: Create VPN service in Bluemix

The Bluemix VPN Service uses the time-tested, mature Internet Protocol Security (IPsec) protocol suite to build a secure communication channel between a private on-premises data center and IBM Bluemix cloud resources. You can read over the official documentation here.

Step 2: Create the VPN Connection in Bluemix

After the VPN service has been created in the Bluemix portal, click on CREATE GATEWAY to create the Gateway connection.

This will take a few moments and when it completes, grab the IP of the new Gateway to use in the next step as well as the Container group IP ranges. The default IKE and IPSec policies can be used for the VPN connection to the SoftLayer Vyatta.

Step 3: Use Gateway as a Service to configure the Vyatta

With the Gateway IP and Container group IPs in hand, next up is to configure the Vyatta. Log in to the Gateway as a Service dashboard, find the Vyatta that will be used for the tunnel and click Manage Tunnels. On the next page click Add Tunnel. On the subsequent page you can leave all of the default options checked.

Scroll to the bottom of the page and click Next. On the 'Select VLAN(s)' page ensure that the public and private Associated VLANs are highlighted (1919 and 1710 in my example) and then click Next.

On the network configuration page, make the following changes:

Provide the IBM VPN Gateway IP as well as the Container Group IP ranges. These will likely be 172.31.0.0/16 and 172.30.0.0/16.

Delete the GRE Tunnel Subnet near the bottom of the page.

Select Advanced IPSec Configuration. Use the following configuration:

IPSec Encryption: aes-128

Diffie-Hellman group: 2

ESP - Perfect Forward Security: Enable

Pre-shared Secret: Enter the preshared secret key that will be used for the IPsec tunnel.

Click Next to review the tunnel configuration and then select the check box to agree with the gateway configuration overwrite. Click Next and then Finish to start the Vyatta reconfiguration process to create the tunnel to Bluemix. An email will be generated when the Vyatta has been reconfigured.

Step 4: Create a New VPN Site Connection in Bluemix

Back in the Bluemix dashboard, provide the following details to establish a connection between the SoftLayer Vyatta and the IBM VPN gateway.

Select ADD NEW in the VPN Site Connections section.

Use the following configuration:

Name: Tunnel_to_SL

Description: (Optional) Description of the connection

Preshared Key String: Enter the preshared secret key that you used while configuring the Vyatta
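
A pre-flight check for the values entered in Step 3 and Step 4, as an added example that is not part of the original post: it generates a random pre-shared key and audits the tunnel definition for weak parameters and overlapping prefixes. The function names, the thresholds and the local prefix 10.100.20.0/24 are assumptions; the Diffie-Hellman group has to match what the Bluemix IKE policy accepts, so the group 2 finding is a prompt to check whether both ends support a 2048-bit or larger group.

```python
import ipaddress
import secrets

# Modulus sizes of the MODP groups by IKE group number (RFC 2409, RFC 3526).
DH_MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
WEAK_CIPHERS = {"des", "3des"}


def new_psk(nbytes=32):
    """Random pre-shared key; enter the same string on the Vyatta and in Bluemix."""
    return secrets.token_urlsafe(nbytes)


def audit_tunnel(cfg):
    """Return (code, message) findings for one site-to-site tunnel definition."""
    findings = []
    if cfg["encryption"].lower() in WEAK_CIPHERS:
        findings.append(("weak-cipher", cfg["encryption"]))
    bits = DH_MODP_BITS.get(cfg["dh_group"])
    if bits is not None and bits < 2048:
        findings.append(("weak-dh", f"group {cfg['dh_group']} is {bits}-bit MODP"))
    if not cfg["pfs"]:
        findings.append(("no-pfs", "IPsec SA keys come from the IKE SA, no fresh DH"))
    psk = cfg["psk"]
    if len(psk) < 24 or len(set(psk)) < 12:
        findings.append(("weak-psk", "short or repetitive pre-shared key"))
    local = [ipaddress.ip_network(n) for n in cfg["local_prefixes"]]
    for r in cfg["remote_prefixes"]:
        remote = ipaddress.ip_network(r)
        if not remote.is_private:
            findings.append(("public-remote", f"{remote} is not private space"))
        for net in local:
            if remote.overlaps(net):
                findings.append(("overlap", f"{remote} overlaps local {net}"))
    return findings


# Cipher, DH group, PFS and remote prefixes are the values from Step 3.
PAGE_TUNNEL = {
    "encryption": "aes-128", "dh_group": 2, "pfs": True,
    "psk": new_psk(),                          # constructed at run time
    "local_prefixes": ["10.100.20.0/24"],      # hypothetical SoftLayer VLAN subnet
    "remote_prefixes": ["172.31.0.0/16", "172.30.0.0/16"],
}

if __name__ == "__main__":
    for code, msg in audit_tunnel(PAGE_TUNNEL):
        print(f"{code}: {msg}")
```
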

After a few minutes, the VPN Connection will be created. If the page does not update after a few moments, refresh your browser to check on the connection. If the tunnel is up the page will report the VPN Site Connection as Active.

Confirm the tunnel is up on the Vyatta device. Issue the following commands to check if the IPsec connection has been established with Bluemix:

Connecting a SoftLayer VSI to a Bluemix Container

Provision a new VSI behind the Associated VLAN of the Vyatta Gateway device. To obtain the Associated VLAN, log in to the SoftLayer portal, navigate to Network > Gateway Appliances and click on the Vyatta being used for the tunnel. Once the VSI has been created, log in and set a static route to allow communication with the Bluemix VPN through the Vyatta. You will use the VSI's Gateway IP when setting the route: